DNSSEC with 9.7.2-P2

Alan Clegg aclegg at isc.org
Fri Nov 12 14:51:37 UTC 2010


On 11/12/2010 7:49 AM, David Forrest wrote:
> While running BIND 9.7.2-P2 built with defaults on F11

[..]

> and, on checking named.conf, I found the entry for br. as:
> trusted-keys {
>     "br." 257 3 5
> "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
> };

If Fedora 11 (I'm assuming that is what "F11" is) has built-in
trust anchors in the distributed named.conf, someone needs to talk to
them...

As already noted, the root is signed; inserting individual keys into the
named.conf for TLDs that are signed and have DS records in the root is a
really, REALLY bad idea.

Doing a search for relevant keywords proves that yes, Fedora 11 ships
with a broken configuration and the recommendation (from those that seem
to know no better) is "ooh, DNSSEC BAD, turn it off".

AlanC
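As an added check (not part of the original post, and not code from BIND or Fedora): a small Python lint that pulls every trusted-keys / managed-keys statement out of a named.conf and flags the two patterns the thread is about, a static anchor for a TLD that the signed root already covers via its DS record, and a root anchor declared with trusted-keys instead of managed-keys (so the resolver will never follow an RFC 5011 KSK rollover). The named.conf fragment is constructed for the example; the base64 key strings are placeholders, not real DNSKEY material.

```python
"""
Lint a BIND named.conf for hard-coded DNSSEC trust anchors.

Added example, not part of the original mailing-list post. It parses the
trusted-keys / managed-keys syntax BIND 9.7 accepts and reports anchors
that will break validation rather than support it.
"""
import re
from typing import List, Tuple

# Constructed named.conf fragment. The "br." entry mirrors the shape of the
# one quoted in the thread; both key strings are placeholders, not real keys.
SAMPLE_NAMED_CONF = r'''
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;   // validation on, but with which anchors?
};

/* Shipped in the distro config: a TLD anchor. The root is signed and the
   TLD has a DS record there, so this only adds a second, unmanaged trust
   point that goes stale the next time the TLD rolls its KSK. */
trusted-keys {
    "br." 257 3 5 "AwEAAaPLACEHOLDERTLDKSK";
};

# Root anchor, but static: BIND will not track an RFC 5011 rollover for it.
trusted-keys {
    "." 257 3 8 "AwEAAaPLACEHOLDERROOTKSK";
};
'''

# named.conf allows /* */, // and # comments; strip them before parsing.
_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_BLOCK_RE = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.DOTALL)
# <zone> [initial-key] <flags> <protocol> <algorithm> "<base64>" ;
_ENTRY_RE = re.compile(
    r'"?([^\s"]+)"?\s+(?:(initial-key)\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')

# (statement, zone, kind, flags, protocol, algorithm)
Anchor = Tuple[str, str, str, int, int, int]


def parse_trust_anchors(conf: str) -> List[Anchor]:
    """Return every trust anchor declared in trusted-keys/managed-keys blocks."""
    stripped = _COMMENT_RE.sub('', conf)
    anchors: List[Anchor] = []
    for stmt, body in _BLOCK_RE.findall(stripped):
        for zone, kind, flags, proto, alg, _key in _ENTRY_RE.findall(body):
            zone = zone.lower()
            if not zone.endswith('.'):
                zone += '.'          # normalise "br" and "br." to one spelling
            anchors.append((stmt, zone, kind or 'static',
                            int(flags), int(proto), int(alg)))
    return anchors


def lint_trust_anchors(conf: str) -> List[str]:
    """Report anchors that undermine validation instead of supporting it."""
    findings: List[str] = []
    anchors = parse_trust_anchors(conf)
    for stmt, zone, _kind, flags, proto, _alg in anchors:
        if zone != '.':
            # BIND validates from the closest configured anchor, so a stale
            # TLD key overrides the DS chain from the root and breaks the TLD.
            findings.append(
                f'{stmt}: anchor for {zone} is redundant with the signed root '
                f'and will fail validation for {zone} when its KSK rolls')
        elif stmt == 'trusted-keys':
            findings.append(
                'trusted-keys: root anchor is static; use managed-keys so the '
                'KSK rollover is tracked via RFC 5011')
        if not (flags & 1):          # bit 15 of DNSKEY flags is SEP (257 = KSK)
            findings.append(
                f'{stmt}: {zone} key has no SEP bit (flags {flags}); '
                'this is a ZSK, which rolls far more often than a KSK')
        if proto != 3:
            findings.append(
                f'{stmt}: {zone} key has protocol {proto}; DNSKEY requires 3')
    if not any(a[1] == '.' for a in anchors):
        findings.append(
            'no root trust anchor configured; validation cannot build a chain from "."')
    return findings


if __name__ == '__main__':
    for line in lint_trust_anchors(SAMPLE_NAMED_CONF):
        print(line)
```

On the constructed fragment the lint reports the br. anchor and the static root anchor; a config that carries only `managed-keys { "." initial-key 257 3 8 "..."; };` produces no findings, which is the state a 9.7 validating resolver should be in.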
